[Poodle] SSLv3.0 vulnerability mitigations cause RHC to fail.
Environment
- OpenShift Enterprise
- OpenShift Online
Issue
- After disabling SSLv3 in response to the SSLv3.0 vulnerability (POODLE, CVE-2014-3566) by following the steps in Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in httpd, RHC returns the error below:
# rhc apps
A secure connection could not be established to the server (SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure). You may disable secure connections to your server with
the -k (or --insecure) option 'https://broker.domain.com/broker/rest/api'.
The "sslv3 alert handshake failure" is the signature of this problem. Other similar error strings may be caused by other issues, e.g. the broker presenting a self-signed certificate.
Resolution
Add the following to .openshift/express.conf to set a non-SSLv3 protocol. This file is usually located in the user's home directory.
ssl_version=tlsv1
Alternatively, if you have multiple servers configured, add the following to .openshift/servers.yml to set a non-SSLv3 protocol.
- Note: if .openshift/servers.yml is used to connect you to your OpenShift broker, its configuration takes precedence over the .openshift/express.conf file.
- server:
    ...
    ssl_version: tlsv1
You should only need to modify an existing file to resolve this issue. If the file does not exist, you either have not set up rhc, or the file is not being used by rhc.
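The following is an added example, not part of this article or of the rhc project's own code. It shows how to triage the error string from the Issue section and how to read the two client configuration files from the Resolution, applying the precedence rule stated above (servers.yml wins over express.conf when it has an entry for the broker). The file layouts (key=value lines in express.conf; a YAML list of "server" entries with a "hostname" key in servers.yml) and the sample file contents are assumptions constructed for the example.

```ruby
# Added example: triage the rhc/POODLE mitigation symptom and report which
# ssl_version setting is in effect for a given broker. Not rhc project code.
require 'yaml'

# Signature of this problem from the article: the alert is sent by the broker
# because the client (old httpclient gem) offered only SSLv3.
POODLE_SIGNATURE = 'sslv3 alert handshake failure'.freeze

# Classify an rhc error message: :sslv3_disabled_on_broker matches this article,
# :certificate_problem points at a different cause (e.g. self-signed cert).
def classify_rhc_error(message)
  text = message.downcase
  return :sslv3_disabled_on_broker if text.include?(POODLE_SIGNATURE)
  return :certificate_problem if text.include?('certificate verify failed')
  :other
end

# Parse the key=value lines of .openshift/express.conf into a Hash.
def parse_express_conf(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if value.nil?
    conf[key.strip] = value.strip
  end
end

# Return { hostname => ssl_version } for every entry in .openshift/servers.yml
# (assumed layout: a list of { 'server' => { 'hostname' => ..., ... } }).
def parse_servers_yml(text)
  entries = YAML.safe_load(text) || []
  entries.each_with_object({}) do |entry, out|
    server = entry['server'] || {}
    out[server['hostname']] = server['ssl_version']
  end
end

# Effective ssl_version for a broker. servers.yml takes precedence when it has
# an entry for the host (nil there means "no setting", i.e. the httpclient
# default); otherwise the express.conf value, or nil if unset.
def effective_ssl_version(express_text, servers_text, hostname)
  servers = parse_servers_yml(servers_text)
  return servers.fetch(hostname) if servers.key?(hostname)
  parse_express_conf(express_text)['ssl_version']
end

# No setting (old httpclient defaults to SSLv3) or an explicit SSL* value
# will fail against a broker that has SSLv3 disabled.
def sslv3_risk?(version)
  version.nil? || version.to_s.downcase.start_with?('ssl')
end

# Constructed sample files (not real user data).
SAMPLE_EXPRESS_CONF = <<~CONF
  # constructed sample of ~/.openshift/express.conf
  default_rhlogin=user@example.com
  libra_server=broker.domain.com
  ssl_version=tlsv1
CONF

SAMPLE_SERVERS_YML = <<~YML
  # constructed sample of ~/.openshift/servers.yml
  ---
  - server:
      hostname: broker.domain.com
      login: user@example.com
      ssl_version: sslv3
  - server:
      hostname: other.example.com
      login: user@example.com
YML

if __FILE__ == $0
  msg = 'SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure'
  puts "error class: #{classify_rhc_error(msg)}"
  %w[broker.domain.com other.example.com].each do |host|
    v = effective_ssl_version(SAMPLE_EXPRESS_CONF, SAMPLE_SERVERS_YML, host)
    puts "#{host}: ssl_version=#{v.inspect} sslv3_risk=#{sslv3_risk?(v)}"
  end
end
```

Run it with `ruby` to see that, for broker.domain.com, the sslv3 value from servers.yml masks the tlsv1 value in express.conf, which is exactly the trap the note above warns about: fixing only express.conf does nothing when servers.yml is in use.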
Root Cause
The Ruby httpclient gem (which rhc uses to access the broker) defaulted to SSLv3 as the SSL protocol until version 2.4.0. Updating this gem also resolves the problem, since later versions use TLSv1 by default.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.